Washington state data breach: Office of the Courts was hacked

OLYMPIA -- The Washington state Administrative Office of the Courts was hacked sometime between last fall and February, and up to 160,000 Social Security numbers and 1 million driver's license numbers may have been accessed during the data breach of its public website, officials said Thursday.

Court officials said they have only confirmed that 94 Social Security numbers were obtained and they don't believe the larger number was compromised, but they wanted to alert the public to the possibility as a precaution.

The breach happened due to vulnerability in an Adobe Systems Inc. software program, ColdFusion, that has since been patched, court officials said. The hack happened sometime after September but wasn't caught until February, they said.

Telephone and email messages were left for Adobe representatives seeking comment.

Mike Keeling, the courts' information technology operations and maintenance manager, said officials were alerted to the breach by a business on the East Coast that had a similar intrusion.

"They recognized our information in their breach log," Keeling said, which led them to install the patch provided by Adobe and start an investigation.

When court officials were first alerted to the breach, they believed all of the information accessed was public record, and didn't think confidential information was taken, but following an investigation by the Multi-State Information Sharing and Analysis Center, the broader breach was confirmed in April, said courts spokeswoman Wendy Ferrell.

Court officials said a law enforcement agency also investigated the case but they declined to say which one. They said the investigation was concluded and there was no information on who might be to blame.

Keeling said he didn't believe the courts were a specific target.

"The hackers were probably opportunistic," he said. "They were more than likely just fishing for data."

Ferrell said that once the breach was confirmed, it took additional time to go through the files and increase security to the website, which is why there was a lag in notifying the public. The 94 known names breached are being contacted by letter, she said. The rest of the people who are potentially affected come from a defined group:

-- Those booked into a city or county jail within the state of Washington between September 2011 and December 2012 may have had their name and Social Security number accessed.

-- Names and driver's license numbers may have been obtained from people who received a DUI citation in Washington state between 1989 through 2011, had a traffic case in Washington filed or resolved in a district or municipal court between 2011 and 2012, or had a superior court criminal case in Washington state that was filed against them or resolved between 2011 and 2012.

Keeling acknowledged that confidential information should have been kept in a different area, "and now they are."

"I can say nothing more than it was an oversight on our part," he said.

Keeling said officials have added a number of additional security measures, including isolating anything that could be sensitive into more protected areas, implementing code to prevent hackers from getting to other parts of a server, and new encryption rules.

Ferrell said no one from the Administrative Office of the Courts or any court in Washington state will be asking for personal information over the phone or via email related to the breach.

State officials have set up a website and hotline to answer public questions about the break: www.courts.wa.gov/databreach and 1-800-448-5584.

"Cybersecurity and cyberterrorism attacks continue to rise in number and sophistication every year, affecting the private and public sector, and countless individuals," Cockrill said in a written statement. "The AOC data breach is a sobering reminder for every branch and every level of government that protection of personal and confidential data entrusted to government is a paramount responsibility."